The United States Postal Service (USPS) has fixed a security vulnerability that exposed the data of 60 million people with accounts at usps.com throughout 2017 and 2018. Data exposed included street addresses, usernames, and phone numbers.
Krebs on Security reported that an independent researcher had informed USPS about the flaw more than a year ago but received no response. The Postal Service didn’t address the issue until this week after it was contacted by cybersecurity specialist Brian Krebs.
The security vulnerability has now been fixed, and USPS says it will continue to look into the issue “out of an abundance of caution.” The agency has said that it has no reason to believe that any of its users’ account details were accessed by hackers.
The bug stemmed from an authentication weakness in the usps.com API tied to a free USPS program called “Informed Visibility,” which lets users track their mail in “near real-time.” Before the loophole was closed, anyone with a standard usps.com account could view -- and in some cases, even modify -- the account details of other users.
“No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular web browser like Chrome or Firefox,” Krebs said.
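The weakness described above, where a logged-in user can read or change another user's record, comes down to an API that checks authentication but not ownership of the requested object. The sketch below is an added example, not USPS code; the account store, `Session` type and function names are hypothetical, and the records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample records (hypothetical store, no real account data).
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.test", "phone": "555-0101"},
    102: {"owner": "bob", "email": "bob@example.test", "phone": "555-0102"},
}
EDITABLE_FIELDS = {"email", "phone"}

class Forbidden(Exception):
    """Caller is not entitled to the requested object."""

@dataclass(frozen=True)
class Session:
    username: str  # identity established at login

def get_account_weak(session, account_id):
    # Weak pattern: confirms only that *someone* is logged in, then trusts
    # the client-supplied account_id to select the record.
    if session is None:
        raise Forbidden("login required")
    return dict(ACCOUNTS[account_id])

def _authorize(session, account_id):
    # Hardened pattern: the server decides whether this caller owns the object.
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so responses do not reveal valid IDs.
    if record is None or record["owner"] != session.username:
        raise Forbidden("not permitted")
    return record

def get_account(session, account_id):
    return dict(_authorize(session, account_id))

def update_account(session, account_id, changes):
    record = _authorize(session, account_id)
    # Writes pass the same ownership check and may touch only allow-listed fields.
    if set(changes) - EDITABLE_FIELDS:
        raise Forbidden("field not editable")
    record.update(changes)
    return dict(record)
```

Both the read path and the write path go through the same `_authorize` helper, so a fix applied to one cannot be forgotten on the other.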
In a statement, USPS officials stressed that they’re taking the issue seriously.
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity,” the agency told Krebs.
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”